BlackICE unprivileged local user attack
From: "Paul Craig - Pimp Industries" <headpimp () pimp-industries com>
Date: Wed, 11 Aug 2004 16:56:53 +1200 (NZST)
"Its all about the Bling, B^!% () s and Fame!"
BlackICE PC protection / Server Protection
Tested on version v3.6.cno
Unprivileged local user disabling anyone from using BlackICE
(C) Paul Craig - Pimp Industries 2004
BlackICE is a firewall developed by ISS. It suffers from a local attack in
which any user with access to the server can modify firewall.ini and insert
a corrupted firewall rule. On the next restart, BlackICE (blackice.exe and
blackd.exe) crashes; the applications catch the exception but fail to load.
This causes the firewall to be disabled for any user who attempts to run it.
When BlackICE is installed, a file called firewall.ini is placed in
C:\Program Files\ISS\Blackice; by default the ACL on this file is
EVERYONE\FULL CONTROL.
This allows any local unprivileged user to remove or modify the BlackICE
firewall rules. An attacker who wanted to be sneakier could, with a simple
guest account, stop the firewall from running at all by inserting an overly
long firewall rule, as seen below.
REJECT, 138, default, 1999-07-22 20:26:53, AAAAAAAAAAAAAAAAA.... , 2000,
(Approx. 1000 A's)
This causes BlackICE to crash when it is next restarted, but no message,
popup or warning is displayed to the user; even the 'eye' in the taskbar
fails to load, giving the user no indication that the firewall is not
running.
The victim of this attack would simply think the firewall is 'corrupted' or
somehow broken if they attempted to start it by hand, and unless they were
smart enough to edit firewall.ini by hand they would probably think to
re-install BlackICE, if they even noticed it was no longer running to
Although this is not a major flaw, it does give an unprivileged local user a
sneaky way of disabling the firewall without obviously removing the rules.
This can then be used to exploit other daemons running on the desktop or
server that the firewall had previously protected. The cause of the crash is
hard for the average internet user to diagnose, and by default nothing
about it is written to any of the BlackICE logs.
Change the ACLs on firewall.ini so that EVERYONE no longer has full control.
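As an added example, not part of the original advisory, the following PowerShell script audits an installation for the two conditions described above: an ACE granting Everyone full control on firewall.ini, and rule lines containing an implausibly long field. The install path is the advisory's default; the 512-character threshold and the optional -Fix switch (which removes the Everyone ACE) are assumptions.

```powershell
# Audit BlackICE firewall.ini for the weak ACL and for oversized rule fields.
# Added example; path is the default install location from the advisory,
# the field-length threshold is an assumed value.
param(
    [string]$IniPath = 'C:\Program Files\ISS\Blackice\firewall.ini',
    [int]$MaxFieldLength = 512,
    [switch]$Fix
)

$findings = @()

# 1. ACL check: does the well-known Everyone SID (S-1-1-0) hold Allow/FullControl?
$acl = Get-Acl -Path $IniPath
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$toRemove = @()
foreach ($ace in $acl.Access) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    if ($sid.Value -eq 'S-1-1-0' -and
        $ace.AccessControlType -eq 'Allow' -and
        (($ace.FileSystemRights -band $fullControl) -eq $fullControl)) {
        $findings += "ACL: Everyone has Full Control on $IniPath"
        $toRemove += $ace
    }
}
if ($Fix -and $toRemove.Count -gt 0) {
    foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path $IniPath -AclObject $acl
    $findings += "Fixed: removed Everyone/Full Control ACE from $IniPath"
}

# 2. Content check: flag comma-separated rule lines with an oversized field,
#    the pattern the advisory describes (a ~1000-character rule name).
$lineNo = 0
foreach ($line in Get-Content -Path $IniPath) {
    $lineNo++
    $longest = ($line -split ',' | ForEach-Object { $_.Trim().Length } |
                Measure-Object -Maximum).Maximum
    if ($longest -gt $MaxFieldLength) {
        $findings += "Line ${lineNo}: field of $longest chars exceeds $MaxFieldLength"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it from an elevated prompt when using -Fix, since rewriting the DACL on a file under Program Files requires administrative rights.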
Pimp Industries is a privately owned New Zealand based security research
If you would like to contact Pimp Industries to discuss any nature of
business, please email us at headpimp () pimp-industries com
Personal hellos to
Pinky, Mark Burnette, Security-Assessment.com and everyone from .nz
Head Pimp, Security Researcher
"Move fast, think faster"